A new hacker-for-hire mercenary group, discovered and documented by BlackBerry’s security team earlier this year, has been tied to attacks on victims all over the world.
The group, named CostaRicto, is the fifth hacker-for-hire group discovered this year, after BellTrox (aka Dark Basin), DeathStalker (aka Deceptikons), Bahamut and an unnamed group.
This is the second hackers-for-hire operation documented by BlackBerry; the first was a series of campaigns by a group called Bahamut, which used zero-day flaws, malware and disinformation operations to track targets in the Middle East and South Asia.
Details about CostaRicto’s origins and current whereabouts are unknown. What is known is that the group has carried out attacks across Europe, the Americas, Asia, Australia and Africa.
BlackBerry says the targets are concentrated in South Asia, especially India, Bangladesh and Singapore, which suggests the threat actor could be based in that region.
The BlackBerry Research and Intelligence Team reported that the victims’ profiles are diverse across several verticals, with a large portion being financial institutions.
The group uses custom-built, never-before-seen malware, but its tradecraft is otherwise not innovative.
Its attacks mostly rely on stolen credentials or spear-phishing emails as the initial entry vector. These emails usually deliver a backdoor trojan named Sombra, also known as SombRAT.
The backdoor gives CostaRicto operators access to infected hosts, where they search for sensitive files and collect documents of interest.
The collected data is sent back to CostaRicto’s command-and-control infrastructure, which is usually hosted on the dark web and reachable only over Tor.
Infected hosts connect to these servers through a layer of proxies and SSH tunnels, which hides the malicious traffic from the compromised organizations.
All the CostaRicto malware samples BlackBerry found date back to October 2019 at the earliest, but other clues suggest the group may have been active as far back as 2017.
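The proxy-and-SSH-tunnel relay described above is something a defender can hunt for in network telemetry even without CostaRicto's own indicators. The following is an added example, not code from BlackBerry or from the original article: it parses a few constructed Zeek-style conn.log records and flags long-lived outbound SSH sessions that push far more data out than they receive, the traffic shape an SSH tunnel carrying collected documents would produce. The field order, the thresholds, and the RFC 5737 documentation addresses standing in for Internet hosts are all assumptions made for this example.

```python
"""Hunt for long-lived, outbound-heavy SSH sessions that could be C2/exfil tunnels.

Added example for illustration; not BlackBerry's tooling or CostaRicto IOCs.
Assumed input: Zeek conn.log records, tab-separated, in the field order
FIELDS below. Thresholds are illustrative assumptions, not published values.
"""
import ipaddress

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]

# Address ranges treated as "inside the organization". Anything else is external.
# RFC 5737 documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are
# deliberately NOT listed so they can stand in for Internet hosts in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records (not real telemetry):
#  C1: internal-to-internal SSH admin session
#  C2: two-hour SSH session to an Internet host, ~50 MB out, ~200 KB back
#  C3: ordinary short TLS connection
#  C4: 15-minute SSH session to an Internet host with little data
SAMPLE_LOG = """\
1604000000.1\tC1\t10.0.0.5\t51022\t10.0.0.9\t22\ttcp\tssh\t12.0\t4096\t8192
1604000100.2\tC2\t10.0.0.5\t51100\t203.0.113.7\t22\ttcp\tssh\t7200.0\t52428800\t204800
1604000200.3\tC3\t10.0.0.7\t44312\t198.51.100.4\t443\ttcp\tssl\t3.5\t2048\t65536
1604000300.4\tC4\t10.0.0.8\t50211\t192.0.2.10\t22\ttcp\tssh\t900.0\t1024\t4096
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skip comments and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["duration"] = float(rec["duration"])
        rec["orig_bytes"] = int(rec["orig_bytes"])
        rec["resp_bytes"] = int(rec["resp_bytes"])
        records.append(rec)
    return records


def is_external(ip):
    """True if the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_ssh_tunnels(records, min_duration=3600, min_out_bytes=10 * 1024 * 1024,
                           min_ratio=10):
    """Return uids of outbound SSH sessions that are long-lived and upload-heavy.

    A tunnel used to relay collected documents to a hidden C2 looks like
    an SSH session that (1) goes to an external host, (2) stays up for a long
    time, and (3) sends far more bytes than it receives. Legitimate admin
    SSH is usually short and roughly symmetric or download-heavy.
    """
    hits = []
    for r in records:
        if r["service"] != "ssh" or not is_external(r["resp_h"]):
            continue
        ratio = r["orig_bytes"] / max(r["resp_bytes"], 1)
        if (r["duration"] >= min_duration
                and r["orig_bytes"] >= min_out_bytes
                and ratio >= min_ratio):
            hits.append(r["uid"])
    return hits


if __name__ == "__main__":
    for uid in suspicious_ssh_tunnels(parse_conn_log(SAMPLE_LOG)):
        print("suspicious outbound SSH session:", uid)
```

On the sample data only C2 is flagged: C1 is internal, C3 is not SSH, and C4 is too short and too small. In a real deployment the thresholds should be tuned against a baseline of the organization's own SSH usage, and hits should be correlated with the originating host's process telemetry, since a tunnel opened by an unexpected binary is far more telling than the flow alone.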
Image Credits : CPO Magazine